Target Hack: Ensuring It Doesn’t Happen Again
We have all heard about the recent Target breach, and read about the many retail breaches of the past, and wondered why they keep happening. While we don’t yet know what happened, maybe this article will help illustrate the problem and a solution.
Retail systems generally involve “hub and spoke” architectures. The spokes are networked systems such as Point of Sale (POS) terminals, and the hub is a data collection and processing facility. The POS calculates cash and credit-card transactions and negotiates approvals through a software exchange of card data with financial “clearing” systems. The transactions are encrypted at the POS; the key is a combination of the PIN (cash) or CVV (credit) plus a certain number and configuration of the card digits, and a private key provided by the financial service via a Hardware Security Module (HSM) that negotiates the communications between the POS and the clearing authority. Once a purchase is authorized, the POS data is transported (again in encrypted form) to the retailer’s data collection and processing facility.
The data transported to the collection and processing facility is usually encrypted in transit, and contains separate elements of the card number and the encrypted PIN or CVV. That data is then stored for various reasons, including data mining for marketing statistics (sometimes to sell to other companies), as well as for secondary clearing and settlement with banks or their internal financial processing companies. Unfortunately that data is often stored in several disparate locations according to its utility to the retailer, and is often not encrypted where it is stored (though the PIN and/or CVV usually are).
Payment card handling standards and regulations currently only require the data to be encrypted in transit—not where it is stored. This is fundamentally the reason that the most notorious data breaches have had such large-scale impacts—the attackers went after the data stores rather than the POS. The volumes of unencrypted data in the stores were far more lucrative and easier to compile. How attackers get to that data, though, involves malware and APT activities.
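An added example (not the article’s or Cylance’s code) of the at-rest exposure described above and the fix the article later recommends: a hub-side store that keeps the full card number beside an encrypted CVV, next to a copy that keeps only a keyed token and the last four digits, with a breach simulated as a scan of the stored records. The sample batch, the key and the field names are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample batch as the hub receives it after transport decryption (not real data).
# PANs are published test numbers; cvv_enc stands in for the HSM-encrypted PIN/CVV block,
# which the article notes is usually the only encrypted field in the store.
INBOUND_BATCH = [
    {"pan": "4111111111111111", "cvv_enc": "ENCRYPTED-CVV-BLOCK", "amount": 42.10, "store": "0123"},
    {"pan": "5555555555554444", "cvv_enc": "ENCRYPTED-CVV-BLOCK", "amount": 9.99, "store": "0123"},
    {"pan": "4111111111111111", "cvv_enc": "ENCRYPTED-CVV-BLOCK", "amount": 120.00, "store": "0456"},
]

# Assumption: the tokenization key lives in an HSM/KMS, never on the same system as the data store.
TOKEN_KEY = b"constructed-demo-key-not-for-real-use"

# Runs of 13-19 digits are what a database thief would grep for in a dump.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def store_weak(batch):
    """The storage pattern the article describes: full card number in the clear, only CVV encrypted."""
    return [dict(t) for t in batch]


def tokenize(pan):
    """Keyed, deterministic token: same PAN gives the same token, unrecoverable without TOKEN_KEY."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def store_hardened(batch):
    """Analytics copy keeps a token and the last four digits; neither the PAN nor the CVV block is stored."""
    return [{"token": tokenize(t["pan"]), "last4": t["pan"][-4:],
             "amount": t["amount"], "store": t["store"]} for t in batch]


def exposed_pans(records):
    """Simulates a breach of the data store: every full card number recoverable from the records."""
    found = set()
    for rec in records:
        for value in rec.values():
            found.update(PAN_RE.findall(str(value)))
    return found


def distinct_cardholders(records, key):
    """The marketing use case (counting distinct customers) works equally on PANs or on tokens."""
    return len({rec[key] for rec in records})
```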
There are three types of malware usually involved in retail data breaches:
1) Phishing emails with malicious droppers/downloaders to infect systems with backdoor trojans, enabling remote access and exploitation of networked corporate systems
2) “PUPs” (potentially unwanted programs)—which are usually administrative tools, sometimes legitimate, that allow password hash collection or cracking, Active Directory or LDAP browsing, SQL server interaction, RAR/ZIP packaging, SMTP mail transport, proxy service configuration, and reconnaissance tools such as FPORT—to assist the attackers in their exploitation of the networked systems by enumerating systems by type (POS, DB, AD, etc.), infecting those systems according to need, and establishing data harvesting and exfiltration methods.
3) Harvesters that are custom utilities programmed to perform needed actions to harvest card data (RAM Scrapers such as DexterPOS malware), PIN/CVVs (Man-in-the-Middle HSM collector proxies), or bulk data (SQL miners that integrate network, database, and administrative functions), which provide persistent access, automated harvesting, and programmed exfiltration of data.
The malware described above provides compromise, exploitation, and persistent access to retail systems. This is the pattern of activities common to “advanced (or targeted) persistent threats” as it relates to retail environments. It should be noted that sometimes web services compromises take the place of phishing emails, and corporate systems usually already have all the tools needed to give attackers what PUPs offer. Sometimes attackers can simply make use of internet-accessible “administrative backdoors” such as RDP, VNC, or SSH access, which are unfortunately common network vulnerabilities (in all corporate systems). Our investigations of retail data breaches have consistently identified these types of malware tools, tactics and procedures.
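An added example (not from the article or Cylance) of detection logic for the pattern described in the three malware types and this paragraph: reconnaissance tools such as FPORT, RAR/ZIP packaging on POS or database hosts followed by outbound mail or proxy connections to the internet, and internet-reachable RDP/VNC/SSH access. The sample events, host names, roles, address ranges and the one-hour correlation window are constructed assumptions.

```python
import ipaddress

# Constructed sample telemetry (not real logs), sorted by ts; roles come from the asset inventory.
EVENTS = [
    {"ts": 100, "host": "POS-17", "role": "POS", "kind": "proc", "image": "fport.exe"},
    {"ts": 160, "host": "DB-01", "role": "DB", "kind": "proc", "image": "rar.exe"},
    {"ts": 400, "host": "DB-01", "role": "DB", "kind": "net", "dir": "out", "ip": "203.0.113.8", "port": 25},
    {"ts": 500, "host": "POS-03", "role": "POS", "kind": "net", "dir": "out", "ip": "10.20.0.5", "port": 443},
    {"ts": 600, "host": "JUMP-01", "role": "SRV", "kind": "net", "dir": "in", "ip": "198.51.100.2", "port": 3389},
]

ARCHIVERS = {"rar.exe", "7z.exe", "winzip.exe"}       # packaging tools the article lists among PUPs
RECON_TOOLS = {"fport.exe"}                            # reconnaissance tool named in the article
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}    # administrative backdoors named in the article
SENSITIVE_ROLES = {"POS", "DB"}                        # hosts that should only talk to the hub
STAGING_WINDOW = 3600                                  # seconds: archive then outbound = staging + exfil
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """Assumption: the retailer's internal address space is the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return (severity, host, reason) findings for the PUP / harvest / exfiltration pattern."""
    findings = []
    last_archive = {}  # host -> ts of the most recent archiver execution
    for e in events:
        if e["kind"] == "proc":
            if e["image"] in RECON_TOOLS:
                findings.append(("medium", e["host"], f"recon tool {e['image']}"))
            if e["image"] in ARCHIVERS and e["role"] in SENSITIVE_ROLES:
                last_archive[e["host"]] = e["ts"]
                findings.append(("medium", e["host"], f"archiver {e['image']} on {e['role']} host"))
        elif e["kind"] == "net" and is_external(e["ip"]):
            if e["dir"] == "in" and e["port"] in ADMIN_PORTS:
                findings.append(("high", e["host"], f"internet-facing {ADMIN_PORTS[e['port']]} from {e['ip']}"))
            elif e["dir"] == "out" and e["role"] in SENSITIVE_ROLES:
                staged = e["host"] in last_archive and e["ts"] - last_archive[e["host"]] <= STAGING_WINDOW
                reason = f"external outbound to {e['ip']}:{e['port']}" + (" after archiving" if staged else "")
                findings.append(("high" if staged else "medium", e["host"], reason))
    return findings


if __name__ == "__main__":
    for severity, host, reason in detect(EVENTS):
        print(severity, host, reason)
```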
The reason that these breaches have occurred is that the industry approach to identifying malware is broken. Malware is part of the toolkit employed by APT actors. It facilitates the activities and accordingly is a critical indicator of attacks.
Antivirus, White/Blacklist, in-flight recording, virtual machine reverse engineering, etc., are currently the tools available to retailers to assist in their defenses against constant APT attacks—but they don’t work. There are fundamentally two reasons: 1) they are after the fact, relying upon something someone else has seen (A/V and W/B lists) or resulting from analysis (IFR/VM); and 2) they are too “heavy” to serve the needs of the POS environment, as they require frequent signature updates or a human interaction.
Antivirus and White/Black list success depends upon either a signature or a heuristic match to an index of known patterns—from past submissions. Accordingly, the phishing emails that commonly employ zero-days or polymorphism to obfuscate recognizable signatures cannot be detected by antivirus. Most of today’s malware also employs anti-VM or anti-reverse-engineering techniques, making it similarly undetectable by RE/VM analysis. IFR and related incident responder tools are by their nature not defensive—they are reactive or investigative.
Secondly, POS systems run stripped-down and often out-of-date operating systems (usually Windows XP or NT, sometimes even DOS). They have limited RAM and almost no available storage, so voluminous signature files that require frequent updates simply cannot be supported by POS.
That leaves retail environments with the need for a solution that will recognize malware based upon its properties, in a lightweight and fast functional format. The Cylance Infinity platform has that capability. Using an incredibly lightweight and extremely fast mathematical algorithm for determining maliciousness, Infinity technology can detect advanced and standard malware before the world has even seen it: truly predictive. This capability is what retail environments desperately need; the information stored in retail contains consumer identity and financial data that has real economic value and corresponding impact. Identifying and preventing constantly evolving (and evasive) compromise malware, man-in-the-middle data harvesters, and data exfiltrators simply cannot be overlooked.
The risks and threats described above are not unique to retail; they apply to any teller-related environment including financial services, insurance, healthcare, etc. However, retail carries the most risk of economic and financial loss affecting the market. Several things need to change to help retail limit these risks:
1) Payment card industry standards and regulations need to enforce a requirement to encrypt data wherever it is stored in retail or associated systems. There will still be some risk of RAM scrapers collecting transactional data, but at least the huge volumes of data that have been collected in past events from accessible databases will be prevented in future attacks (which will undoubtedly continue to occur).
2) Retail must be provided with tools that recognize and prevent malware. Those tools must be suited to their needs, though. You can’t teach an old dog new tricks, but you can put a collar on it… Cylance Infinity tools (V and the soon-to-be-released PROTECT) are examples of the capabilities to address retail cyber threats. By applying math rather than signatures, malware can be identified even if it has never been seen before.
3) This is certainly more long term—the entire US retailing/credit/banking system must consider moving to the chip and PIN card system that the European and world markets have largely moved to. Chip and PIN systems prevent these types of man-in-the-middle attacks because they encrypt the data secured from the card all the way through the payment processing backend. While nothing is unbreakable, it’s a stronger solution that needs to be considered.
Retail (and associated payment card) breaches will continue to be pursued by attackers; they are simply too lucrative to ignore. In today’s retail system architecture, they are also too easy to accomplish.
About Shane Shook
Shane Shook, PhD, is well known in Fortune 100 global companies for providing experienced leadership in incident analysis and response. He has led small and large teams of forensic investigators and systems analysts in many of the most notorious information security breach events of the past two decades. A veteran of the USAF, he also served as a Cryptologic Linguist for ten years. Shane leads investigations and analysis for litigation and information security issues, including computer and network forensics, data analytics, software development and analysis, and infrastructure planning and testing. As CKO he helps the company stay aware of changing customer needs to adapt Cylance’s services portfolio and talents, and as VP of Consulting he works with clients and staff to build capabilities to detect, respond, and prevent compromises where possible.
Prior to joining Cylance, Shane worked with McAfee as an independent consultant and with PriceWaterhouseCoopers, LECG, and KPMG, where he led services teams as a Managing Director.
Shane speaks several languages and is fluent in many technologies. He has a PhD in Organization and Management, Communications Technology, an MBA, a Bachelor of Technology Management, and an AAS in Applied Communications Technology, as well as a Diploma in Modern Standard Arabic.
For more information please visit www.Cylance.com